- In performing an external network security assessment, which of the following should normally be performed first?
- Vulnerability scanning
- In performing a risk-based audit, which risk assessment is completed initially by the IS auditor?
- Inherent risk
- Informal peer reviews
- In order for management to effectively monitor the compliance of processes and applications, which of the following would be the most ideal?
- Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations.
Imagine a system failure…
Server failure
Disk System failure
Hacker break-in
Denial of Service attack
Extended power failure
Snow storm
Spyware
Malevolent virus or worm
Earthquake, tornado
Employee error or revenge
How will this affect each business?
First Step: Business Impact Analysis
Which business processes are of strategic importance?
What disasters could occur?
What impact would they have on the organization financially? Legally? On human life? On reputation?
What is the required recovery time period?
Answers are obtained via questionnaires, interviews, or meetings with key users of IT
Event Damage Classification
Negligible: No significant cost or damage
Minor: A non-negligible event with no material or financial impact on the business
Major: Impacts one or more departments and may impact outside clients
Crisis: Has a major material or financial impact on the business
Minor, Major, and Crisis events should be documented and tracked through to repair
Tracking these events supports prediction of a major event
Definitions
Business Continuity: Offer critical services in the event of a disruption
Disaster Recovery: Survive interruption to computer information systems
Alternate Process Mode: Service offered by backup system
Disaster Recovery Plan (DRP): How to transition to Alternate Process Mode
Restoration Plan: How to return to regular system mode
Classification of Services
Critical $$$$: Cannot be performed manually. Tolerance to interruption is very low
Vital $$: Can be performed manually for very short time
Sensitive $: Can be performed manually for a period of time, but may cost more in staff
Nonsensitive ¢: Can be performed manually for an extended period of time with little additional cost and minimal recovery effort
Alternative Recovery Strategies
Hot Site: Fully configured, ready to operate within hours
Warm Site: Ready to operate within days; has no main computer or only a low-powered one, but does contain disks, network, and peripherals
Cold Site: Ready to operate within weeks. Contains electrical wiring, air conditioning, flooring
Duplicate or Redundant Information Processing Facility: Standby hot site within the organization
Reciprocal Agreement with another organization or division
Mobile Site: Fully- or partially-configured trailer comes to your site, with microwave or satellite communications
Cloud Computing models
SaaS – Software as a Service: provides cloud-based applications through a web browser
PaaS – Platform as a Service: users develop applications using cloud-based tools and infrastructure
IaaS – Infrastructure as a Service: provides cloud-based processing, storage, network, and other fundamental computing resources
ASP – Application Service Provider: provides applications on a dedicated server
Business Continuity Process
Perform Business Impact Analysis
Prioritize services to support critical business processes
Determine alternate processing modes for critical and vital services
Develop the Disaster Recovery plan for IS systems recovery
Develop BCP for business operations recovery and continuation
Test the plans
Maintain plans
Criticality Classification